Govt seeks tech to keep its data safe

SINGAPORE - People are often said to be the weakest link in the IT security chain.

So, to reduce threats due to negligence, the authorities here are making it much tougher for unauthorised users to access information from civil servants' laptops and computers.

Officials have put out a bulk tender on behalf of government ministries, departments, statutory boards, organs of state and universities for advanced disk encryption software.

The number of people losing their electronic devices globally underscores the importance of such software, which makes computer data unreadable to thieves.

In tender documents seen by The Straits Times, potential contractors are to supply full disk encryption as well as two-factor authentication (2FA) technologies that will work together to prevent unauthorised access.

At the encryption level, people will have to enter the right personal identification number (PIN).

They will then be prompted to use something else - a public sector smartcard or a security token - to verify that they are the rightful users. This step provides an added layer of security in what is known as 2FA.

The public sector smartcard is already being used by tens of thousands of civil servants to read their government secure e-mail. They insert the cards in card readers built into their computers.

But in the tender documents, the Infocomm Development Authority (IDA) stated that the card must be inserted even before the computer is allowed to boot up. This will secure all other data stored in civil servants' computers, not just their e-mail.

Security tokens - which bank customers are familiar with for generating one-time passwords - are also expected to prevent computers from booting up when they are in the wrong hands.

The tender closes on Aug 29.

"When we think of data breaches, we tend to picture attackers breaking into an organisation's network," said Eugene Teo, senior manager of security response at United States-based security firm Symantec. "But the carelessness of individual users is (also) exposing organisations to major data breaches," he added.

Theft or loss of computers or hard drives accounted for over a quarter of the 253 personal data breaches globally last year, according to Symantec's 2014 Internet Security Threat Report. It was one of the top three causes of data loss last year; the other two were hacking and accidental disclosure, for instance by sending data to the wrong e-mail address.

In 2012, device loss also accounted for about one-quarter of data breaches. But last year's breaches were almost double those in 2012.

One high-profile case last year was the loss of a portable hard drive with the personal data of half a million student loan borrowers by a Canadian government agency. The drive lacked password and encryption protection.